US20100325415A1 - Controlling Media Distribution - Google Patents

Controlling Media Distribution Download PDF

Info

Publication number
US20100325415A1
US20100325415A1 US12/866,474 US86647408A US2010325415A1 US 20100325415 A1 US20100325415 A1 US 20100325415A1 US 86647408 A US86647408 A US 86647408A US 2010325415 A1 US2010325415 A1 US 2010325415A1
Authority
US
United States
Prior art keywords
media
time
chunk
cryptographic
cryptographic materials
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US12/866,474
Inventor
Borje Ohlman
Goran Selander
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Telefonaktiebolaget LM Ericsson AB
Original Assignee
Telefonaktiebolaget LM Ericsson AB
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Telefonaktiebolaget LM Ericsson AB filed Critical Telefonaktiebolaget LM Ericsson AB
Assigned to TELEFONAKTIEBOLAGET LM ERICSSON (PUBL) reassignment TELEFONAKTIEBOLAGET LM ERICSSON (PUBL) ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: OHLMAN, BORJE, SELANDER, GORAN
Publication of US20100325415A1 publication Critical patent/US20100325415A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/02Details
    • H04L12/16Arrangements for providing special services to substations
    • H04L12/18Arrangements for providing special services to substations for broadcast or conference, e.g. multicast
    • H04L12/1881Arrangements for providing special services to substations for broadcast or conference, e.g. multicast with schedule organisation, e.g. priority, sequence management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/02Details
    • H04L12/16Arrangements for providing special services to substations
    • H04L12/18Arrangements for providing special services to substations for broadcast or conference, e.g. multicast
    • H04L12/1836Arrangements for providing special services to substations for broadcast or conference, e.g. multicast with heterogeneous network architecture
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/067Network architectures or network communication protocols for network security for supporting key management in a packet data network using one-time keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/60Network streaming of media packets
    • H04L65/61Network streaming of media packets for supporting one-way streaming services, e.g. Internet radio
    • H04L65/611Network streaming of media packets for supporting one-way streaming services, e.g. Internet radio for multicast or broadcast
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/60Network streaming of media packets
    • H04L65/70Media network packetisation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/80Responding to QoS
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/14Multichannel or multilink protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/065Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H04L9/0656Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher

Definitions

  • the invention relates to the field of controlling media distribution.
  • radio and television broadcasts have used real-time transmission technologies such as FM, VHF, UHF, satellite and dedicated cable networks.
  • real-time transmission technologies such as FM, VHF, UHF, satellite and dedicated cable networks.
  • packet-switched based technologies such as the Internet, mobile networks and so on.
  • the new types of broadcast technology introduce many benefits over traditional broadcast technologies, such as more efficient use of bandwidth, they do have some drawbacks.
  • One drawback is that the new broadcast technologies can introduce a non-negligible delay of a transmission compared to traditional technologies. This can lead to problems where, for example, a receiver switches between technologies while listing to e.g. a radio program.
  • a receiver switches between technologies while listing to e.g. a radio program.
  • it can be very annoying if some users hear or see what happens before others. This may occur if, for example, you hear your neighbour (who is watching the broadcast using a different technology to you) cheering before you have seen the goal being scored.
  • Another example of where this may be a problem is if a separate transmission of subtitles for a media broadcast is made from the main broadcast. The subtitles and the media broadcast should be broadcast to appear to the user at the correct time.
  • FIG. 1 The problem is illustrated in FIG. 1 , in which a media source 1 broadcasts a media signal.
  • a user who receives the broadcast via a cable network using a Set Top Box (STB) 2 and television 3 may receive the broadcast at a different time to a user who receives the broadcast using a laptop 4 via the Internet.
  • STB Set Top Box
  • two users connected to the Internet may receive media at different times.
  • Another problem caused by receiving broadcasts at different times arises during the distribution of stock quotes, in which receivers close to a stock quotation source can receive information earlier than distant receivers.
  • the word “media” may be used interchangeably herein with the word “content”, and refers to data that is managed and requires controlled distribution.
  • the TESLA broadcast authentication protocol as described in http://www.ece.cmu.edu/ ⁇ adrain/projects/tesla-crytobytes/tesla-cryptobytes.pdf, describes source authentication of broadcast data, but does not address confidentiality.
  • “A survey of broadcast encryption”, http://math.scu.edu/ ⁇ jhorwitz/pubs/broadcast.pdf provides an overview of several different broadcast encryption schemes. The broadcast encryption schemes described require an initial sharing of keys between each authorized receiver and the broadcaster.
  • the inventors have realized the problems associated with prior art methods of broadcasting, and have invented a system that uses one or more low bandwidth control channels to publish one-time cryptographic keys to be used to decode an encrypted media stream received via other sources.
  • the one-time cryptographic keys are published at a specific time, which prevents some users having an advance preview of media depending on the transport technology they are using to receive a media channel, and is advantageous in fields such as distributing stock quotes and showing sporting events in real time.
  • a receiver node receives an encrypted media chunk over a media channel, and stores the encrypted media chunk in a memory. After receiving the encrypted media chunk, the receiver node receives cryptographic materials relating to the media chunk over a time guaranteed control channel, and uses the cryptographic materials to decrypt the encrypted media chunk. In this way, the receiver cannot render the media chunk until it has received the cryptographic materials. If all media receiver nodes in a network receive the cryptographic materials at approximately the same time, then all of the receiver nodes will render the media chunk at approximately the same time.
  • the method optionally further comprises using a value derived from the received cryptographic materials as a seed value for seeding a pseudo random number generator, and generating a One Time Pad using the seed value and the pseudo random number generator.
  • the One Time Pad is then used to decrypt the encrypted media chunk.
  • the entire One Time Pad which is as large as the media chunk, need not be sent. However, where bandwidth is plentiful, then it is possible that the One Time Pad is sent directly as the cryptographic materials.
  • the received cryptographic materials are in a plaintext format.
  • control channel has predetermined Quality of Service characteristics
  • method further comprising receiving the cryptographic materials after a predetermined delay after receiving the encrypted media chunk, the predetermined delay determined using the Quality of Service characteristics of the control channel and an estimate of the media chunk arrival time based on the media chunk transmission time.
  • the method optionally comprises rendering the decrypted media chunk. This is for use in the case where, for example, the receiver node is a Set Top Box.
  • a method of transmitting time-controlled media comprising distributing cryptographic materials used to encrypt a media chunk, the cryptographic materials being sent over a time-guaranteed control channel such that the cryptographic materials are received by a remote receiver after reception of the encrypted media chunk.
  • a value derived from the cryptographic materials is used as a seed value for seeding a pseudo random number generator.
  • a One Time Pad is generated using the seed value and the pseudo random number generator, and the One Time Pad is then used to encrypt the media chunk.
  • the method comprises generating a plurality of seed values using a one-way hash function, each seed value of the plurality of seed values being associated with a media chunk.
  • the seed values can be sent in advance to a distributor of seed values.
  • a method of distributing time-controlled media comprising encrypting a media chunk using cryptographic materials and sending the encrypted media chunk over a media channel.
  • the cryptographic materials are distributed over a time-guaranteed control channel such that the cryptographic materials are received by a remote receiver node after the remote receiver receives the encrypted media chunk.
  • the receiver node receives the encrypted media chunk over the media channel and stores the encrypted media chunk in a memory at the receiver node.
  • the receiver node also receives the cryptographic materials over the time guaranteed channel, and uses the cryptographic materials to decrypt the encrypted media chunk.
  • the receiver node can then render the decrypted media chunk. In this way, the receiver node cannot render the media chunk until it has received the cryptographic materials. If all media receiver nodes in a network receive the cryptographic materials at approximately the same time, then all of the receiver nodes will render the media chunk at approximately the same time.
  • the method optionally comprises, prior to encrypting the media chunk, using a value derived from the cryptographic materials as a seed value for seeding a pseudo random number generator, generating a One Time Pad using the seed value and the pseudo random number generator, and using the One Time Pad to encrypt the media chunk.
  • the value derived from the received cryptographic materials is used as a seed value for seeding a pseudo random number generator, and a One Time Pad is generated using the seed value and the pseudo random number generator.
  • the One Time Pad is then used to decrypt the encrypted media chunk.
  • a receiver node for receiving time-controlled media.
  • the receiver node comprises a first receiver for receiving an encrypted media chunk over a media channel, a buffer arrangement in which to store the encrypted media chunk, a second receiver for receiving cryptographic materials relating to the media chunk over a time guaranteed control channel, processing means for matching received cryptographic materials to a corresponding stored media chunk, and further processing means for decrypting the encrypted media chunk using the received cryptographic materials.
  • a Control Channel Provider node for providing cryptographic materials related to time-controlled media chunks transmitted over a media channel.
  • the Control Channel Provider node comprises a receiver for receiving from a Service Provider node cryptographic materials to be used to decrypt a media chunk, and a transmitter for transmitting the cryptographic materials over a time-guaranteed control channel such that the cryptographic materials are arranged to be received by a remote node after the remote node has received the media chunk.
  • the transmitter is optionally arranged to transmit the cryptographic materials in a plaintext format.
  • the cryptographic materials comprise a seed value arranged to be used to generate a One Time Pad by seeding a pseudo random number generator.
  • the Control Channel Provider node optionally comprising means for determining when to transmit the cryptographic materials, the determination being made according on the basis of an estimated arrival time of the cryptographic material at the remote node.
  • the estimated arrival time of the cryptographic material is determined in part based according to a media chunk transmission time.
  • FIG. 1 illustrates schematically in a block diagram a media broadcast over different types of network
  • FIG. 2 illustrates schematically in a block diagram a system architecture according to an embodiment of the invention
  • FIG. 3 is a flow diagram illustrating steps according to an embodiment of the invention.
  • FIG. 4 is a signalling diagram illustrating signalling between nodes according to an embodiment of the invention.
  • FIG. 5 illustrates schematically the actions of a receiver according to an embodiment of the invention
  • FIG. 6 illustrates schematically in a block diagram a receiver according to an embodiment of the invention.
  • FIG. 7 illustrates schematically in a block diagram a Control Channel Provider node according to an embodiment of the invention.
  • a control signal is also broadcast using a control channel.
  • Any type of transmission technology that can provide delay guarantees can be used as the control channel.
  • Such technologies include, but are not limited to, technologies selected from any of traditional broadcast media (such as FM-radio, VHF, UHF, satellite, etc.), fixed telephony, circuit switched mobile telephony, and packet switched networks with QoS guarantees (RSVP enabled IP networks, ATM, etc.).
  • the media stream Prior to broadcast, the media stream is encrypted using a one-time pad derived from a sequence of one-time cryptographic keys.
  • the one-time cryptographic keys are broadcast in plaintext using the control channel.
  • the one-time cryptographic keys are sent with a delay that is acceptable for the specific service and realistic with respect to the used media channels, such that they should not arrive before packets from the corresponding media stream(s).
  • the keys are sent out consecutively at a certain rate or according to a certain scheme.
  • the introduced delayed transmission on the control channel can be predetermined and adapted to the slowest expected time for the receipt of the media stream.
  • the predetermined delay may be adapted to time constraints of the media delivery service, bearing in mind that channels providing media after the key has been received will be at a disadvantage compared to other media channels having advance preview.
  • the predetermined delay should be no more than an acceptable delay to the users of a specific service, and buffers used to store the media stream prior to the receipt of the one-time cryptographic keys must be dimensioned accordingly.
  • it is important to take into account the intrinsic delay characteristics of the control channel. There is thus an important balance to strike in order to comply with an acceptable delay from a service point of view and a required delay for avoiding advance preview based on the expected characteristics of the media channels.
  • a receiver may inform the sender(s) of media and/or keys that a key has been received prior to reception of corresponding media in order for the sender(s) to adjust the sending times to accomplish a change of the time order between reception of media and keys.
  • This can be extended such that all receivers feed back information about media reception in order to allow the sender of keys can adapt to the slowest media channel.
  • These alternative embodiments are not preferred, because they introduce further delays and receivers that receive the media stream early increase their risk of buffer overflow, and hence losing a portion of the media stream.
  • best-effort Internet does not provide any guarantees on time of delivery, so for time critical media delivery services it is not possible to define the delay of the control channel by the maximum delay on the media channel(s).
  • control channels or one central control channel.
  • the channel can be seen as a time/clock distribution.
  • Advantages of a central channel alternative include the simplicity of the control system and the reduced capacity needed for transmission of the control signal.
  • their individual delay can be used to calculate when cryptographic keys can be sent on the individual control channels.
  • the one time cryptographic keys are used as seed values to compute one-time pads (OTP), as described in the Handbook of Applied Cryptography, http://www.cacr.math.uwaterloo.ca/hac/.
  • OTPs are used to encrypt the media stream. After broadcasting the crypto keys on the control channel, the same one-time pads can be computed by any receiver and used to decrypt the encrypted content.
  • An advantage of this is that the media content, even though is may arrive at different times depending on the network over which it was received, cannot be decrypted until the OTP cryptographic keys are received, and this should be at approximately the same time for each receiver.
  • the OTP can be broadcast directly on the control channel to obtain the required timing properties, but that would be an inefficient use of bandwidth, since the OTP is as large as the media.
  • PRNG pseudo-random number generator
  • an OTP can be computed by both the broadcaster and each receiver.
  • the OTPs generated from the sequence of cryptographic keys can be concatenated into a “Super-OTP” of sufficient length for encrypting any media content of arbitrary size.
  • the cryptographic keys and corresponding “basic” OTPs can be generated “on demand”, e.g. during live broadcast.
  • the ratio between the (basic) OTP length and the cryptographic key length must be selected to comply with application specific requirements such as:
  • a large ratio means that a media player could in principle render the end of the media chunk (say a goal in a football match) before it is supposed to be displayed according to the distribution design.
  • the intended access control would thus be violated, but assuming the size of the advance peek media chunk is not large, this is not a problem in practise. Note that for applications such as stock quotes this is not a problem at all since it may not be necessary to present stock quotes in a particular order.
  • a receiving device such as a laptop computer or a Set Top Box (STB) should be capable of receiving and playing the broadcast, and so must be able to receive both a control channel and a media channel.
  • STB Set Top Box
  • FIG. 2 there is shown a receiver 5 capable of receiving a media channel 6 and a control channel 7 .
  • a Service Provider (SP) 6 provides the media stream and the cryptographic keys.
  • a Media Channel Provider (MCP) 7 and a Control Channel Provider (CCP) 8 receive the media stream and the cryptographic keys respectively from the SP 6 , and forward the media stream and the cryptographic keys to the receiver 5 .
  • the SP, MCP and CCP may partly or completely coincide.
  • E x (m) shall denote encryption of message m using key x.
  • the SP 6 protects the content for delivery over a media channel. It provides secret cryptographic keys for delivery over the control channel, associated meta-data such as relevant media identifier(s), time constraints for delivery and associated security management, e.g. the SP 6 may protect the cryptographic keys in transport to the CCP 8 using a security association contained in the agreement.
  • the CCP 8 distributes cryptographic keys in plaintext over a control channel, and the MCP 7 distributes the protected media stream.
  • the Receiver 5 receives both the encrypted media stream and the cryptographic keys, and decrypts the media stream using the cryptographic keys in order to show the content of the media stream.
  • the SP 6 sets up an agreement with one or multiple CCPs 8 .
  • a CCP 8 commits to distribute cryptographic keys at certain timeliness, and also to ensure the confidentiality of those keys before distribution.
  • the agreement contains any necessary information to establish a protected communication for transportation of cryptographic keys between the SP 6 and the CCP 8 (e.g. which keys to use in a standardized key transportation protocol). The nature of the agreement depends on the trust model between the SP 6 and of the CCPs 8 .
  • the SP 6 also sets up agreements with the MCPs 7 . This agreement does not require the same security setup as that with the CCPs 8 since the media sent to a MCP 7 is never decrypted by the MCP 8 .
  • the media channel need not be implemented as an electronic or optical communication network, but may also be in the form of a physical distribution of digital information such as CD/DVD, magnetic tapes, etc. provided the delay for such distribution is acceptable.
  • the media is divided into media chunks of a designated size.
  • the following numbering corresponds to the numbering of FIG. 3 :
  • the SP 6 generates a random (and secret) cryptographic key s of a given length
  • the SP 6 computes a One-Time Pad (OTP) x of length
  • PRNG Pseudo-Random Number Generator
  • PRNG Pseudo-Random Number Generator
  • the media channel need not be aligned with the control channel as long as the media is available before the control signal at the receiver 5 .
  • the receiver 5 receives the encrypted media c from the MCP 7 and stores the received encrypted media chunks in a buffer.
  • S6 Concurrently with steps S4 and S5, the cryptographic key s is protected and transported to the authorized CCP(s) 8 using the agreed key transport protocol and key transport keys.
  • SP may e.g. send E k (s), i.e. the cryptographic key s encrypted with the key transport key k.
  • the cryptographic key s is decrypted, if necessary, and distributed by the CCP(s) in plaintext over the control channel(s) at a certain time.
  • a header is added to each chunk of media, the header comprising a media identifier and a sequence number of the chunk. If the media channel is not multiplexed with other media channels, the media channel ID can be made implicit, and need not be repeated for each chunk. If the media channel supports some internal sequence numbering of the chunks, the sequence number can also be implicit.
  • the control signal packets are provided with headers in the same manner. In this way, a given cryptographic key can be matched with a corresponding media chunk.
  • FIG. 3 does not discuss transport of the cryptographic key s between the SP 6 and the CCP 8 .
  • s can be transported, some examples of which are as follows:
  • the cryptographic keys used are the reversed hash chain i.e. s N , . . . , s 1 , since knowledge of one element allows derivation of elements with a higher index but not elements with a lower index, and so access to one key enables instant access to all previous keys, but not access to future keys.
  • FIG. 4 an example of signalling illustrates events taking place at different times and in the different nodes in a media and key distribution scenario according to an embodiment of the invention.
  • Protected content E x (m) is distributed using one or more Media Channel Providers over three different media channels (illustrated by dashed lines) having different bandwidths, and arriving at the Receiver 5 at times t 1 , t 2 and t 3 respectively.
  • Protected keys E k1 (s) and E k2 (s) are sent from the SP 6 to two Control Channel Providers CCP 1 and CCP 2 at times r 1 and r 2 , respectively, which may occur before or after the media transport.
  • the CCPs decrypt the key s and, on the basis of the QoS on their respective control channels, transmit the key s in plaintext at times u 1 and u 2 , respectively, such that they arrive at the Receiver at approximately time T C .
  • T C is calculated to be greater than any of t 1 , t 2 or t 3 to ensure that the key s arrives after the media.
  • Each key s is associated with a target arrival time T C , which is specified by the SP based on the timeliness requirements of the service and the expected arrival times of the content t 1 .
  • the relevant information, T C or information required to calculate T C (such as the expected delays for the media channels and the maximum acceptable delay for the service), is delivered from the SP to a CCP in conjunction with the delivery of the protected key.
  • CCP 1 schedules the key sending time u 1 based on the intended arrival time T C and characteristics of the control channel.
  • CCP 2 schedules the sending time u 2 based on the same intended arrival time T C and potentially different control channel characteristics.
  • a CCP must consider the possible different transmission times to different receivers to ensure that the arrival time of the key at the receiver does not significantly deviate from the target arrival time T C .
  • the SP estimates a required delay for the control signalling.
  • the estimate has a lower limit of the expected transmission times on the media channels and an upper limit by the service requirements. This should provide the SP with a ‘window’ of acceptable delays. If the SP does not have an acceptable window of delays, then it must select media channels with faster transmission time or loosen the service requirements.
  • the SP specifies a value of the predetermined delay of the control channel signalling within this interval. For a given encrypted media chunk E x (m), and its expected time(s) of arrival over relevant media channel(s) it is now possible to calculate T C based on the predetermined delay.
  • the Receiver 5 receives encrypted content over the media channel 9 and control data over the control channel 10 .
  • Encrypted media chunks are stored in a buffer arrangement 13 in the receiver 5 where they can be accessed based on media identifier and sequence number.
  • the CD/DVD constitutes the media channel itself and the media is already stored on the CD/DVD, and so the CD/DVD effectively acts as the “buffer”.
  • the control channel is scanned in real time by a processing unit with capacity matching the line speed of the control channel.
  • Each received control signal packet is placed in a media channel specific FIFO control signal buffer, part of buffer arrangement 13 , for further processing.
  • the processor is arranged to match received control data to a corresponding media chunk thereby enabling decryption of media chunk using the control data.
  • a decoding unit For each media channel, a decoding unit performs the following steps:
  • the first control signal buffer is read.
  • T2. The sequence number k is extracted from the control signal packet header and is used retrieve the corresponding encrypted media chunk c from the media channel buffer.
  • T3. the associated OTP x is computed using the PRNG with seed s as read from the control signal buffer. Because the SP and the receiver use the same PRNG and seed s, they will each generate the same OTP x.
  • the media m is now available to the receiver 5 in plaintext.
  • T5. The plaintext media m is rendered by the receiver.
  • T6. If needed, garbage collection could be implemented for the media channel buffer to avoid buffer overflow. This step can be interleaved with other steps.
  • a key buffer is provided in order to manage a scenario in which a media channel has a sufficiently large delay to cause media to appear after the corresponding key.
  • the key buffer may be included in the buffer arrangement 13 shown in FIG. 5 .
  • the receiver 5 comprises a first 11 and second 12 receiver for receiving signalling from the media channel 9 and the control channel 10 respectively.
  • the receivers may be constituted in a single receiver.
  • a buffer arrangement 13 is provided for storing received encrypted media chunks.
  • a processor 14 is also provided for using a cryptographic key received over the control channel to decrypt associated media chunks retrieved from the buffer arrangement 13 .
  • Means (not shown) are also provided to pass the decrypted media chunks to another function or node for rendering.
  • a receiver 15 is provided for receiving from a Service Provider node a cryptographic key to be used to decrypt a media chunk.
  • the received cryptographic key may itself be encrypted for protection during transport between a Service Provider and the Control Channel Provider node.
  • a processor 16 is provided for handling the cryptographic key, and a memory 17 may be provided for storing the cryptographic key.
  • the processor 16 determines when each cryptographic key should be sent on the time-guaranteed control channel to the receiver node, meaning that the control channel should have constant predictable delay. This determination may be based on QoS characteristics of the control channel.
  • a transmitter 18 is also provided for sending the cryptographic key to the receiver node 5 on the control channel 10 .
  • the cryptographic key is preferably sent in plaintext, in which case the processor must decrypt the cryptographic key prior to sending it.
  • the invention can be used for controlled distribution of any type of digital information that should only be disclosed at a certain time or pace, e.g. IPR protected material, stock quotes, live sports events, press releases etc.
  • the receiver does not need to pre-establish any security data with any party before the reception of cryptographic keys, since the keys are sent in plaintext.
  • the receiver need only wait until all cryptographic information is available before the encrypted media can be decrypted and rendered.
  • the end-user will wish to have access to the media content as soon as possible after the media and control data has been made available, and so it is likely that all recipients of the broadcast will be able to view it at the same time regardless of the broadcast technology used.
  • the time-guaranteed control channel only requires a narrow bandwidth, and therefore has low costs associated with it.

Abstract

A method and apparatus for distributing time-controlled media. A media chunk is encrypted using cryptographic materials and sending the encrypted media chunk over a media channel. The cryptographic materials are distributed over a time-guaranteed control channel such that the cryptographic materials are received by a remote receiver node after the remote receiver receives the encrypted media chunk. The receiver node receives the encrypted media chunk over the media channel and stores the encrypted media chunk in a memory at the receiver node. The receiver node also receives the cryptographic materials over the time guaranteed channel, and uses the cryptographic materials to decrypt the encrypted media chunk. In this way, the receiver node cannot render the media chunk until it has received the cryptographic materials.

Description

    TECHNICAL FIELD
  • The invention relates to the field of controlling media distribution.
    • BACKGROUND
  • Traditionally, radio and television broadcasts have used real-time transmission technologies such as FM, VHF, UHF, satellite and dedicated cable networks. However, other types of broadcast are becoming important alternatives. These include packet-switched based technologies such as the Internet, mobile networks and so on.
  • Whilst the new types of broadcast technology introduce many benefits over traditional broadcast technologies, such as more efficient use of bandwidth, they do have some drawbacks. One drawback is that the new broadcast technologies can introduce a non-negligible delay of a transmission compared to traditional technologies. This can lead to problems where, for example, a receiver switches between technologies while listing to e.g. a radio program. Furthermore, for transmission of live events such as sports, it can be very annoying if some users hear or see what happens before others. This may occur if, for example, you hear your neighbour (who is watching the broadcast using a different technology to you) cheering before you have seen the goal being scored. Another example of where this may be a problem is if a separate transmission of subtitles for a media broadcast is made from the main broadcast. The subtitles and the media broadcast should be broadcast to appear to the user at the correct time.
  • The problem is illustrated in FIG. 1, in which a media source 1 broadcasts a media signal. A user who receives the broadcast via a cable network using a Set Top Box (STB) 2 and television 3 may receive the broadcast at a different time to a user who receives the broadcast using a laptop 4 via the Internet. Likewise two users connected to the Internet may receive media at different times. Another problem caused by receiving broadcasts at different times arises during the distribution of stock quotes, in which receivers close to a stock quotation source can receive information earlier than distant receivers. The word “media” may be used interchangeably herein with the word “content”, and refers to data that is managed and requires controlled distribution.
  • The TESLA broadcast authentication protocol, as described in http://www.ece.cmu.edu/˜adrain/projects/tesla-crytobytes/tesla-cryptobytes.pdf, describes source authentication of broadcast data, but does not address confidentiality. There are a several known broadcast encryption schemes that address the problem of sending an encrypted message to a large user base such that the message can only be decrypted by a dynamically changing authorized subset. “A survey of broadcast encryption”, http://math.scu.edu/˜jhorwitz/pubs/broadcast.pdf provides an overview of several different broadcast encryption schemes. The broadcast encryption schemes described require an initial sharing of keys between each authorized receiver and the broadcaster.
    • SUMMARY
  • The inventors have realized the problems associated with prior art methods of broadcasting, and have invented a system that uses one or more low bandwidth control channels to publish one-time cryptographic keys to be used to decode an encrypted media stream received via other sources. The one-time cryptographic keys are published at a specific time, which prevents some users having an advance preview of media depending on the transport technology they are using to receive a media channel, and is advantageous in fields such as distributing stock quotes and showing sporting events in real time.
  • By introducing an acceptable delay to the control channel it is possible to ensure that the media distributed via different media channels will be played at the same time, provided that those channels experience a lower delay than the delay introduced to the control channel.
  • According to a first aspect of the invention, there is provided a method of receiving time-controlled media. A receiver node receives an encrypted media chunk over a media channel, and stores the encrypted media chunk in a memory. After receiving the encrypted media chunk, the receiver node receives cryptographic materials relating to the media chunk over a time guaranteed control channel, and uses the cryptographic materials to decrypt the encrypted media chunk. In this way, the receiver cannot render the media chunk until it has received the cryptographic materials. If all media receiver nodes in a network receive the cryptographic materials at approximately the same time, then all of the receiver nodes will render the media chunk at approximately the same time.
  • The method optionally further comprises using a value derived from the received cryptographic materials as a seed value for seeding a pseudo random number generator, and generating a One Time Pad using the seed value and the pseudo random number generator. The One Time Pad is then used to decrypt the encrypted media chunk. By using generating the One Time Pad using a seed value, the entire One Time Pad, which is as large as the media chunk, need not be sent. However, where bandwidth is plentiful, then it is possible that the One Time Pad is sent directly as the cryptographic materials.
  • As an option, the received cryptographic materials are in a plaintext format.
  • Optionally, the control channel has predetermined Quality of Service characteristics, and the method further comprising receiving the cryptographic materials after a predetermined delay after receiving the encrypted media chunk, the predetermined delay determined using the Quality of Service characteristics of the control channel and an estimate of the media chunk arrival time based on the media chunk transmission time.
  • The method optionally comprises rendering the decrypted media chunk. This is for use in the case where, for example, the receiver node is a Set Top Box.
  • According to a second aspect of the invention, there is provided a method of transmitting time-controlled media, the method comprising distributing cryptographic materials used to encrypt a media chunk, the cryptographic materials being sent over a time-guaranteed control channel such that the cryptographic materials are received by a remote receiver after reception of the encrypted media chunk.
  • Optionally, prior to encrypting the media chunk, a value derived from the cryptographic materials is used as a seed value for seeding a pseudo random number generator. A One Time Pad is generated using the seed value and the pseudo random number generator, and the One Time Pad is then used to encrypt the media chunk.
  • Optionally, the method comprises generating a plurality of seed values using a one-way hash function, each seed value of the plurality of seed values being associated with a media chunk. By generating a plurality of seed values, the seed values can be sent in advance to a distributor of seed values.
  • According to a third aspect of the invention, there is provided a method of distributing time-controlled media, the method comprising encrypting a media chunk using cryptographic materials and sending the encrypted media chunk over a media channel. The cryptographic materials are distributed over a time-guaranteed control channel such that the cryptographic materials are received by a remote receiver node after the remote receiver receives the encrypted media chunk. The receiver node receives the encrypted media chunk over the media channel and stores the encrypted media chunk in a memory at the receiver node. The receiver node also receives the cryptographic materials over the time guaranteed channel, and uses the cryptographic materials to decrypt the encrypted media chunk. The receiver node can then render the decrypted media chunk. In this way, the receiver node cannot render the media chunk until it has received the cryptographic materials. If all media receiver nodes in a network receive the cryptographic materials at approximately the same time, then all of the receiver nodes will render the media chunk at approximately the same time.
  • The method optionally comprises, prior to encrypting the media chunk, using a value derived from the cryptographic materials as a seed value for seeding a pseudo random number generator, generating a One Time Pad using the seed value and the pseudo random number generator, and using the One Time Pad to encrypt the media chunk. After receipt of the cryptographic materials at the receiver node, the value derived from the received cryptographic materials is used as a seed value for seeding a pseudo random number generator, and a One Time Pad is generated using the seed value and the pseudo random number generator. The One Time Pad is then used to decrypt the encrypted media chunk.
  • According to a fourth aspect of the invention, there is provided a receiver node for receiving time-controlled media. The receiver node comprises a first receiver for receiving an encrypted media chunk over a media channel, a buffer arrangement in which to store the encrypted media chunk, a second receiver for receiving cryptographic materials relating to the media chunk over a time guaranteed control channel, processing means for matching received cryptographic materials to a corresponding stored media chunk, and further processing means for decrypting the encrypted media chunk using the received cryptographic materials.
  • According to a fifth aspect of the invention, there is provided a Control Channel Provider node for providing cryptographic materials related to time-controlled media chunks transmitted over a media channel. The Control Channel Provider node comprises a receiver for receiving from a Service Provider node cryptographic materials to be used to decrypt a media chunk, and a transmitter for transmitting the cryptographic materials over a time-guaranteed control channel such that the cryptographic materials are arranged to be received by a remote node after the remote node has received the media chunk.
  • The transmitter is optionally arranged to transmit the cryptographic materials in a plaintext format.
  • As an option, the cryptographic materials comprise a seed value arranged to be used to generate a One Time Pad by seeding a pseudo random number generator.
  • The Control Channel Provider node optionally comprising means for determining when to transmit the cryptographic materials, the determination being made according on the basis of an estimated arrival time of the cryptographic material at the remote node. Optionally, the estimated arrival time of the cryptographic material is determined in part based according to a media chunk transmission time.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 illustrates schematically in a block diagram a media broadcast over different types of network;
  • FIG. 2 illustrates schematically in a block diagram a system architecture according to an embodiment of the invention;
  • FIG. 3 is a flow diagram illustrating steps according to an embodiment of the invention;
  • FIG. 4 is a signalling diagram illustrating signalling between nodes according to an embodiment of the invention;
  • FIG. 5 illustrates schematically the actions of a receiver according to an embodiment of the invention;
  • FIG. 6 illustrates schematically in a block diagram a receiver according to an embodiment of the invention; and
  • FIG. 7 illustrates schematically in a block diagram a Control Channel Provider node according to an embodiment of the invention.
    •  DETAILED DESCRIPTION
  • In addition to providing a media broadcast in the form of an encrypted media stream, a control signal is also broadcast using a control channel. Any type of transmission technology that can provide delay guarantees can be used as the control channel. Such technologies include, but are not limited to, technologies selected from any of traditional broadcast media (such as FM-radio, VHF, UHF, satellite, etc.), fixed telephony, circuit switched mobile telephony, and packet switched networks with QoS guarantees (RSVP enabled IP networks, ATM, etc.).
  • Prior to broadcast, the media stream is encrypted using a one-time pad derived from a sequence of one-time cryptographic keys. The one-time cryptographic keys are broadcast in plaintext using the control channel. The one-time cryptographic keys are sent with a delay that is acceptable for the specific service and realistic with respect to the used media channels, such that they should not arrive before packets from the corresponding media stream(s). The keys are sent out consecutively at a certain rate or according to a certain scheme. The introduced delayed transmission on the control channel can be predetermined and adapted to the slowest expected time for the receipt of the media stream. The predetermined delay may be adapted to time constraints of the media delivery service, bearing in mind that channels providing media after the key has been received will be at a disadvantage compared to other media channels having advance preview. The predetermined delay should be no more than an acceptable delay to the users of a specific service, and buffers used to store the media stream prior to the receipt of the one-time cryptographic keys must be dimensioned accordingly. When defining the delay of the transmission on the control channel, it is important to take into account the intrinsic delay characteristics of the control channel. There is thus an important balance to strike in order to comply with an acceptable delay from a service point of view and a required delay for avoiding advance preview based on the expected characteristics of the media channels.
  • In an alternative embodiment, a receiver may inform the sender(s) of media and/or keys that a key has been received prior to reception of corresponding media in order for the sender(s) to adjust the sending times to accomplish a change of the time order between reception of media and keys. This can be extended such that all receivers feed back information about media reception in order to allow the sender of keys can adapt to the slowest media channel. These alternative embodiments are not preferred, because they introduce further delays and receivers that receive the media stream early increase their risk of buffer overflow, and hence losing a portion of the media stream. It should also be noted that, for example, best-effort Internet does not provide any guarantees on time of delivery, so for time critical media delivery services it is not possible to define the delay of the control channel by the maximum delay on the media channel(s).
  • It is possible to use multiple control channels, or one central control channel. In the case of one central channel, the channel can be seen as a time/clock distribution. Advantages of a central channel alternative include the simplicity of the control system and the reduced capacity needed for transmission of the control signal. In the case of multiple control channels their individual delay can be used to calculate when cryptographic keys can be sent on the individual control channels.
  • The one time cryptographic keys are used as seed values to compute one-time pads (OTP), as described in the Handbook of Applied Cryptography, http://www.cacr.math.uwaterloo.ca/hac/. The OTPs are used to encrypt the media stream. After broadcasting the crypto keys on the control channel, the same one-time pads can be computed by any receiver and used to decrypt the encrypted content. An advantage of this is that the media content, even though is may arrive at different times depending on the network over which it was received, cannot be decrypted until the OTP cryptographic keys are received, and this should be at approximately the same time for each receiver.
  • It is possible for the OTP to be broadcast directly on the control channel to obtain the required timing properties, but that would be an inefficient use of bandwidth, since the OTP is as large as the media. By using a pseudo-random number generator (PRNG), with a random and secret cryptographic key as a seed, an OTP can be computed by both the broadcaster and each receiver. By generating a sufficient number of cryptographic keys, the OTPs generated from the sequence of cryptographic keys can be concatenated into a “Super-OTP” of sufficient length for encrypting any media content of arbitrary size. The cryptographic keys and corresponding “basic” OTPs can be generated “on demand”, e.g. during live broadcast.
  • The ratio between the (basic) OTP length and the cryptographic key length must be selected to comply with application specific requirements such as:
      • Efficiency: Acceptable bandwidth ratio between media and control channel (this is the same ratio). Bandwidth ratio refers to the ratio between bandwidth required by the media stream and the bandwidth required by the cryptographic keys. If the cryptographic key were itself an OTP then the ratio would be 1, but as the cryptographic key is a seed for generating an OTP then the bandwidth required by the control channel may be significantly less than the bandwidth required by the media channel.
      • Security: If the key length=basic OTP length (ratio=1), then the encryption scheme is unconditionally secure but, as noted above, inefficient. For larger ratios, the randomness of the OTP depends on the predictability of the pseudo-random number generator.
      • Advance peek: On receipt of the cryptographic key, the entire corresponding basic OTP can be computed immediately. When the cryptographic key used to decode a certain media to be displayed at time t is published, the media at time t+d is also disclosed. If the ratio is relatively high (=the basic OTP is relatively long), then d is relatively large which gives some information about the end of this content chunk before it is due.
  • Note that some of these requirements conflict. Unconditional security and timing control without advance peek can be achieved although this is unlikely to be required. For each given application and context a trade-off has to be made. Assume, for example, that the size ratio between the key and OTP and is large. This means that the required amount of data to be sent over the control channel is a fraction of the required amount of data to be sent over the media channel. Since the control channel has QoS constraints, the cost per bit transmitted is likely to be higher than the cost of sending media streams over best effort channels, and hence the cost for distribution can be shifted between media and control channel by tuning the ratio depending on application. In a time-continuous media distribution setting, a large ratio means that a media player could in principle render the end of the media chunk (say a goal in a football match) before it is supposed to be displayed according to the distribution design. The intended access control would thus be violated, but assuming the size of the advance peek media chunk is not large, this is not a problem in practise. Note that for applications such as stock quotes this is not a problem at all since it may not be necessary to present stock quotes in a particular order.
  • Note also that a receiving device such as a laptop computer or a Set Top Box (STB) should be capable of receiving and playing the broadcast, and so must be able to receive both a control channel and a media channel.
  • Referring now to FIG. 2, there is shown a receiver 5 capable of receiving a media channel 6 and a control channel 7. A Service Provider (SP) 6 provides the media stream and the cryptographic keys. A Media Channel Provider (MCP) 7 and a Control Channel Provider (CCP) 8 receive the media stream and the cryptographic keys respectively from the SP 6, and forward the media stream and the cryptographic keys to the receiver 5. The SP, MCP and CCP may partly or completely coincide. The details in FIG. 2 are explained below in conjunction with the explanation of FIG. 3. Generally, Ex(m) shall denote encryption of message m using key x.
  • The SP 6 protects the content for delivery over a media channel. It provides secret cryptographic keys for delivery over the control channel, associated meta-data such as relevant media identifier(s), time constraints for delivery and associated security management, e.g. the SP 6 may protect the cryptographic keys in transport to the CCP 8 using a security association contained in the agreement. The CCP 8 distributes cryptographic keys in plaintext over a control channel, and the MCP 7 distributes the protected media stream. The Receiver 5 receives both the encrypted media stream and the cryptographic keys, and decrypts the media stream using the cryptographic keys in order to show the content of the media stream.
  • We now describe the cryptographic parts in more detail. The SP 6 fixes the ratio r=the expansion factor in the pseudo-random number generator=the factor between the required bandwidth of the media and control channels by taking into consideration the requirements on security, efficiency etc. as discussed above.
  • Before the service is started, the SP 6 sets up an agreement with one or multiple CCPs 8. With this agreement a CCP 8 commits to distribute cryptographic keys at certain timeliness, and also to ensure the confidentiality of those keys before distribution. Furthermore, the agreement contains any necessary information to establish a protected communication for transportation of cryptographic keys between the SP 6 and the CCP 8 (e.g. which keys to use in a standardized key transportation protocol). The nature of the agreement depends on the trust model between the SP 6 and of the CCPs 8.
  • The SP 6 also sets up agreements with the MCPs 7. This agreement does not require the same security setup as that with the CCPs 8 since the media sent to a MCP 7 is never decrypted by the MCP 8. Note that the media channel need not be implemented as an electronic or optical communication network, but may also be in the form of a physical distribution of digital information such as CD/DVD, magnetic tapes, etc. provided the delay for such distribution is acceptable.
  • Once the agreements are set up, and when the SP 6 has media to distribute, the following sequence occurs, as illustrated in FIG. 3. The media is divided into media chunks of a designated size. The following numbering corresponds to the numbering of FIG. 3:
  • S1. The SP 6 generates a random (and secret) cryptographic key s of a given length |s|=L (e.g. L=64 bits)
    S2. The SP 6 computes a One-Time Pad (OTP) x of length |x|=r*L, using a known Pseudo-Random Number Generator (PRNG) (e.g. ANSI X9.17) with seed s: x=PRNG(s). Note that r is the previously determined ratio.
    S3. The next chunk of media m of length |m|=r*L is protected with the OTP x using a known encryption algorithm Ex(m) (e.g. encrypted using the Vernam cipher c=m XOR x)
    S4. The encrypted media c=Ex(m) is transported to the MCP 7 for distribution over the media channel. As noted above, the media channel need not be aligned with the control channel as long as the media is available before the control signal at the receiver 5.
    S5. The receiver 5 receives the encrypted media c from the MCP 7 and stores the received encrypted media chunks in a buffer.
    S6. Concurrently with steps S4 and S5, the cryptographic key s is protected and transported to the authorized CCP(s) 8 using the agreed key transport protocol and key transport keys. SP may e.g. send Ek(s), i.e. the cryptographic key s encrypted with the key transport key k.
    S7. The cryptographic key s is decrypted, if necessary, and distributed by the CCP(s) in plaintext over the control channel(s) at a certain time.
    S8. The receiver 5 receives the plaintext cryptographic key s and uses it to calculate the OTP x=PRNG(s).
    S9. The receiver uses the calculated OTP x to decrypt the encrypted media chunks c held in the receiver's buffer: DX(c)=Dx(Ex(m))=m, where DX( ) denotes decryption using key x.
  • A header is added to each chunk of media, the header comprising a media identifier and a sequence number of the chunk. If the media channel is not multiplexed with other media channels, the media channel ID can be made implicit, and need not be repeated for each chunk. If the media channel supports some internal sequence numbering of the chunks, the sequence number can also be implicit. The control signal packets are provided with headers in the same manner. In this way, a given cryptographic key can be matched with a corresponding media chunk.
  • Note that the flow diagram of FIG. 3 does not discuss transport of the cryptographic key s between the SP 6 and the CCP 8. There are several ways in which s can be transported, some examples of which are as follows:
      • a. Just in time: The SP 6 delays the transport to the CCP 8 such that it can be redistributed directly by the CCP 8 on the control channel at the anticipated arrival to the CCP 8. This setting does not require the CCP 8 to keep the keys confidentially in storage and also does not risk any advance pre-view should the CCP 8 have problems with sending the control system at the required time.
      • b. Advance transport of keys: The SP 6 sends the cryptographic keys consecutively to the CCP 8, and expects the CCP 8 to store each key confidentially until its their correct distribution time. If a cryptographic key is being sent to the receiver 5 too early this will result in a slight preview, with limited damage. There is also the option for the SP 6 to audit the control channel and in this case “punish” a faulting CCP 8 by terminating the cryptographic key flow in the middle of a session.
      • c. Batches of keys: The SP 6 pre-generates and distributes a set of cryptographic keys. Again, the SP 6 expects the CCP 8 to store the keys confidentially until the correct distribution time. Sending a batch of keys can be more efficient and avoids the SP 6 and CCP 8 having to rely on the availability of their communication channel. But the trust in the CCP 8 must be greater since it is required to keep the cryptographic keys confidential for a longer period of time.
  • In an optional embodiment that can be used to optimize certain data exchange, in particular between the SP 6 and the CCP 8, the SP 6 generates a hash chain, s1, . . . , sN, where s1 is random and si+1=h(si) for i=1, . . . , N−1, where h is a known secure one-way hash function (a current example would be, for example, SHA256, as described in http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf) and the size of content for the given session <r*L*N. Alternatively, to determine the required length of the hash chain for a given content size S:N>Sl(r*L).
  • The cryptographic keys used are the reversed hash chain i.e. sN, . . . , s1, since knowledge of one element allows derivation of elements with a higher index but not elements with a lower index, and so access to one key enables instant access to all previous keys, but not access to future keys.
  • Where batches of keys are pre-generated by the SP 6 and distributed to the CCP 8 in advance, it is sufficient for the SP 6 to send only one cryptographic key s1 to the trusted CCP 8 for a given session, since all necessary security data can be derived from that using the hash function and the PRNG.
  • Referring now to FIG. 4, an example of signalling illustrates events taking place at different times and in the different nodes in a media and key distribution scenario according to an embodiment of the invention.
  • Only one receiver 5 is illustrated, which receives content over three media channels (A, B, C) and control information over two channels (1,2), but the example would apply to many receivers R1, . . . , Rn, each receiver receiving content and keys over a different media channel and/or control channel, in which R1=(A,1), R2=(A,2), R3=(B,1) etc.
  • Protected content Ex(m) is distributed using one or more Media Channel Providers over three different media channels (illustrated by dashed lines) having different bandwidths, and arriving at the Receiver 5 at times t1, t2 and t3 respectively. Protected keys Ek1(s) and Ek2(s) are sent from the SP 6 to two Control Channel Providers CCP1 and CCP2 at times r1 and r2, respectively, which may occur before or after the media transport. The CCPs decrypt the key s and, on the basis of the QoS on their respective control channels, transmit the key s in plaintext at times u1 and u2, respectively, such that they arrive at the Receiver at approximately time TC. Note that TC is calculated to be greater than any of t1, t2 or t3 to ensure that the key s arrives after the media.
  • Each key s is associated with a target arrival time TC, which is specified by the SP based on the timeliness requirements of the service and the expected arrival times of the content t1. The relevant information, TC or information required to calculate TC (such as the expected delays for the media channels and the maximum acceptable delay for the service), is delivered from the SP to a CCP in conjunction with the delivery of the protected key. CCP1 schedules the key sending time u1 based on the intended arrival time TC and characteristics of the control channel. Similarly, CCP2 schedules the sending time u2 based on the same intended arrival time TC and potentially different control channel characteristics. A CCP must consider the possible different transmission times to different receivers to ensure that the arrival time of the key at the receiver does not significantly deviate from the target arrival time TC.
  • In a very simple exemplary embodiment, there is only one CCP and one MCP, both embodied in the SP. The SP estimates a required delay for the control signalling. The estimate has a lower limit of the expected transmission times on the media channels and an upper limit by the service requirements. This should provide the SP with a ‘window’ of acceptable delays. If the SP does not have an acceptable window of delays, then it must select media channels with faster transmission time or loosen the service requirements. The SP specifies a value of the predetermined delay of the control channel signalling within this interval. For a given encrypted media chunk Ex(m), and its expected time(s) of arrival over relevant media channel(s) it is now possible to calculate TC based on the predetermined delay. The SP sends the associated cryptographic key s at time u=TC (transmission time on the control channel).
  • Referring now to FIG. 5, the Receiver 5 receives encrypted content over the media channel 9 and control data over the control channel 10. Encrypted media chunks are stored in a buffer arrangement 13 in the receiver 5 where they can be accessed based on media identifier and sequence number.
  • In the case of offline media distribution such as CD/DVD, the CD/DVD constitutes the media channel itself and the media is already stored on the CD/DVD, and so the CD/DVD effectively acts as the “buffer”.
  • The control channel is scanned in real time by a processing unit with capacity matching the line speed of the control channel. Each received control signal packet is placed in a media channel specific FIFO control signal buffer, part of buffer arrangement 13, for further processing. The processor is arranged to match received control data to a corresponding media chunk thereby enabling decryption of media chunk using the control data.
  • For each media channel, a decoding unit performs the following steps:
  • T1. The first control signal buffer is read.
    T2. The sequence number k is extracted from the control signal packet header and is used retrieve the corresponding encrypted media chunk c from the media channel buffer.
    T3. In parallel, the associated OTP x is computed using the PRNG with seed s as read from the control signal buffer. Because the SP and the receiver use the same PRNG and seed s, they will each generate the same OTP x.
    T4. The media chunk c is decrypted using the known decryption algorithm with key x (e.g. if the Vernam cipher was used then m=c XOR x). The media m is now available to the receiver 5 in plaintext.
    T5. The plaintext media m is rendered by the receiver.
    T6. If needed, garbage collection could be implemented for the media channel buffer to avoid buffer overflow. This step can be interleaved with other steps.
  • In an alternative embodiment a key buffer is provided in order to manage a scenario in which a media channel has a sufficiently large delay to cause media to appear after the corresponding key. The key buffer may be included in the buffer arrangement 13 shown in FIG. 5.
  • Referring to FIG. 6, there is illustrated a receiver 5 according to an embodiment of the invention. The receiver 5 comprises a first 11 and second 12 receiver for receiving signalling from the media channel 9 and the control channel 10 respectively. Of course, the receivers may be constituted in a single receiver. A buffer arrangement 13 is provided for storing received encrypted media chunks. A processor 14 is also provided for using a cryptographic key received over the control channel to decrypt associated media chunks retrieved from the buffer arrangement 13. Means (not shown) are also provided to pass the decrypted media chunks to another function or node for rendering.
  • Referring to FIG. 7 herein, there is illustrated a Control Channel Provider node 8 according to an embodiment of the invention. A receiver 15 is provided for receiving from a Service Provider node a cryptographic key to be used to decrypt a media chunk. The received cryptographic key may itself be encrypted for protection during transport between a Service Provider and the Control Channel Provider node. A processor 16 is provided for handling the cryptographic key, and a memory 17 may be provided for storing the cryptographic key. The processor 16 determines when each cryptographic key should be sent on the time-guaranteed control channel to the receiver node, meaning that the control channel should have constant predictable delay. This determination may be based on QoS characteristics of the control channel. A transmitter 18 is also provided for sending the cryptographic key to the receiver node 5 on the control channel 10. The cryptographic key is preferably sent in plaintext, in which case the processor must decrypt the cryptographic key prior to sending it.
  • By using a common control channel with a guaranteed delay, it possible to broadcast media using different broadcast technologies and have the media displayed at approximately the same time on all the recipients' receivers regardless of the broadcast technology used. The invention can be used for controlled distribution of any type of digital information that should only be disclosed at a certain time or pace, e.g. IPR protected material, stock quotes, live sports events, press releases etc.
  • Note that the receiver does not need to pre-establish any security data with any party before the reception of cryptographic keys, since the keys are sent in plaintext. The receiver need only wait until all cryptographic information is available before the encrypted media can be decrypted and rendered. Naturally, the end-user will wish to have access to the media content as soon as possible after the media and control data has been made available, and so it is likely that all recipients of the broadcast will be able to view it at the same time regardless of the broadcast technology used. Furthermore, the time-guaranteed control channel only requires a narrow bandwidth, and therefore has low costs associated with it.
  • It will be appreciated by the person of skill in the art that various modifications may be made to the embodiments described above without departing from the scope of the present invention.

Claims (18)

1-17. (canceled)
18. A method of receiving time-controlled media for disclosure at certain time or pace, the method comprising, at a receiver node:
receiving an encrypted media chunk over a media channel;
storing the encrypted media chunk in a memory;
after receiving the encrypted media chunk, receiving cryptographic materials relating to the media chunk over a time guaranteed control channel with predictable delay; and
using the cryptographic materials to decrypt the encrypted media chunk.
19. The method of claim 18, further comprising:
using a value derived from the received cryptographic materials as a seed value for seeding a pseudo random number generator;
generating a One Time Pad using the seed value and the pseudo random number generator; and
using the One Time Pad to decrypt the encrypted media chunk.
20. The method of claim 18, wherein the cryptographic materials comprise a One Time Pad.
21. The method of claim 18, wherein the cryptographic materials are received in a plaintext format.
22. The method of claim 18, wherein the control channel has predetermined Quality of Service characteristics, the method further comprising receiving the cryptographic materials after a predetermined delay after receiving the encrypted media chunk, the predetermined delay determined using the Quality of Service characteristics of the control channel and an estimate of the media chunk arrival time based on the media chunk transmission time.
23. The method of claim 18, further comprising rendering the decrypted media chunk.
24. A method of transmitting time-controlled media for disclosure at certain time or pace, the method comprising:
distributing cryptographic materials used to encrypt a media chunk, the cryptographic materials being sent over a time-guaranteed control channel with predictable delay, such that the cryptographic materials are received by a remote receiver after reception of the encrypted media chunk.
25. The method of claim 24, further comprising:
prior to encrypting the media chunk, using a value derived from the cryptographic materials as a seed value for seeding a pseudo random number generator;
generating a One Time Pad using the seed value and the pseudo random number generator; and
using the One Time Pad to encrypt the media chunk.
26. The method of claim 25, further comprising:
generating a plurality of seed values using a one-way hash function, each seed value of the plurality of seed values being associated with a media chunk.
27. A method of distributing time-controlled media for disclosure at certain time or pace, the method comprising:
at a service provider node,
encrypting a media chunk using cryptographic materials;
sending the encrypted media chunk over a media channel; and
distributing the cryptographic materials over a time-guaranteed control channel with predictable delay, such that the cryptographic materials are received by a remote receiver node after the remote receiver node receives the encrypted media chunk;
at a receiver node,
receiving the encrypted media chunk over the media channel;
storing the encrypted media chunk in a memory;
receiving the cryptographic materials over the time-guaranteed channel;
using the cryptographic materials to decrypt the encrypted media chunk; and
rendering the decrypted media chunk.
28. The method of claim 27, further comprising:
at the service provider node,
prior to encrypting the media chunk using a value derived from the cryptographic materials as a seed value for seeding a pseudo random number generator;
generating a One Time Pad using the seed value and the pseudo random number generator; and
using the One Time Pad to encrypt the media chunk; and
at the receiver node,
after receipt of the cryptographic materials, using the value derived from the received cryptographic materials as a seed value for seeding a pseudo random number generator;
generating a One Time Pad using the seed value and the pseudo random number generator; and
using the One Time Pad to decrypt the encrypted media chunk.
29. A receiver node for receiving time-controlled media for disclosure at certain time or pace, the receiver node comprising:
a first receiver operative to receive an encrypted media chunk over a media channel;
a buffer arrangement operative to store the encrypted media chunk;
a second receiver operative to receive cryptographic materials relating to the media chunk over a time-guaranteed control channel with predictable delay;
a processor operative to match received cryptographic materials to a corresponding stored media chunk; and
a processor operative to decrypt the encrypted media chunk using the received cryptographic materials.
30. A Control Channel Provider node for providing cryptographic materials related to time-controlled media chunks transmitted over a media channel for disclosure at certain time or pace, the Control Channel Provider node comprising:
a receiver operative to receive from a Service Provider node cryptographic materials to be used to decrypt a media chunk;
a transmitter operative to transmit the cryptographic materials over a time-guaranteed control channel with predictable delay such that the cryptographic materials are arranged to be received by a remote node after the remote node has received the media chunk.
31. The Control Channel Provider node of claim 30, wherein the transmitter is operative to transmit the cryptographic materials in a plaintext format.
32. The Control Channel Provider node of claim 30, wherein the cryptographic materials comprise a seed value operative to be used to generate a One Time Pad by seeding a pseudo random number generator.
33. The Control Channel Provider node of claim 30, further comprising a determining function operative to determine when to transmit the cryptographic materials, the determination being made on the basis of an estimated arrival time of the cryptographic material at the remote node.
34. The Control Channel Provider node of claim 33, wherein the estimated arrival time of the cryptographic material is determined in part according to a media chunk transmission time.
US12/866,474 2008-02-07 2008-03-25 Controlling Media Distribution Abandoned US20100325415A1 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
GB0802186.7 2008-02-07
GB0802186A GB2457253B (en) 2008-02-07 2008-02-07 Controlling media distribution
PCT/SE2008/050327 WO2009099359A1 (en) 2008-02-07 2008-03-25 Controlling media distribution

Publications (1)

Publication Number Publication Date
US20100325415A1 true US20100325415A1 (en) 2010-12-23

Family

ID=39204340

Family Applications (1)

Application Number Title Priority Date Filing Date
US12/866,474 Abandoned US20100325415A1 (en) 2008-02-07 2008-03-25 Controlling Media Distribution

Country Status (5)

Country Link
US (1) US20100325415A1 (en)
EP (1) EP2243276B1 (en)
CN (1) CN101939962A (en)
GB (1) GB2457253B (en)
WO (1) WO2009099359A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120321080A1 (en) * 2011-06-14 2012-12-20 Candelore Brant L TV Receiver Device with Multiple Decryption Modes
US20130326081A1 (en) * 2012-05-29 2013-12-05 Avaya Inc. Enterprise class virtual desktop infrastructure
WO2016147382A1 (en) * 2015-03-19 2016-09-22 三菱電機株式会社 Encrypted communication system terminal device, encrypted communication system relay device, and encrypted communication system control method
US10305479B1 (en) * 2018-06-12 2019-05-28 Nxp B.V. Fault attack protection against synchronized fault injections
US10742698B2 (en) 2012-05-29 2020-08-11 Avaya Inc. Media contention for virtualized devices

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9313531B2 (en) 2010-10-06 2016-04-12 Thomson Licensing Device and method for content delivery adapted for synchronous playbacks
CN106791935A (en) * 2016-12-23 2017-05-31 中山大学 A kind of Internet video first broadcast method and system

Citations (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3003000A (en) * 1959-07-01 1961-10-03 Research Corp Organic peroxides
US5400403A (en) * 1993-08-16 1995-03-21 Rsa Data Security, Inc. Abuse-resistant object distribution system and method
US5748731A (en) * 1996-07-02 1998-05-05 Shepherd; Henry G. Electronic trading cards
US6266413B1 (en) * 1998-06-24 2001-07-24 Benyamin Ron System and method for synchronizing one time pad encryption keys for secure communication and access control
US20020097878A1 (en) * 1997-07-07 2002-07-25 Hiromichi Ito Key controlling system, key controlling apparatus, information encrypting apparatus, information decrypting apparatus and storage media for storing programs
US20030002675A1 (en) * 2001-06-29 2003-01-02 Graunke Gary L. Method and apparatus for simultaneous encryption and decryption of publicly distributed media
US20030149869A1 (en) * 2002-02-01 2003-08-07 Paul Gleichauf Method and system for securely storing and trasmitting data by applying a one-time pad
US20030188188A1 (en) * 2002-03-15 2003-10-02 Microsoft Corporation Time-window-constrained multicast for future delivery multicast
US20040158533A1 (en) * 2003-02-06 2004-08-12 Steve Messick Simultaneous network news distribution
US20050010691A1 (en) * 2003-06-30 2005-01-13 Randy Oyadomari Synchronization of timestamps to compensate for communication latency between devices
US20050021774A1 (en) * 2003-05-23 2005-01-27 Shinichi Kurihara Content delivery service providing apparatus and content delivery service terminal unit
US20050168630A1 (en) * 2004-02-04 2005-08-04 Seiko Epson Corporation Multi-screen video playback system
US20060115084A1 (en) * 2004-11-19 2006-06-01 Lg Electronics Inc. Conditional access for a multimedia broadcast service using a wireless terminal
US7159112B1 (en) * 2003-08-26 2007-01-02 Nvidia Corporation Decryption of graphics data in a graphics processing pipeline
US20070016778A1 (en) * 2001-08-31 2007-01-18 Lyle James D Method and apparatus for encrypting data transmitted over a serial link
US20070047552A1 (en) * 2003-12-22 2007-03-01 David Astely Measurement method for spatial scheduling
US20080124056A1 (en) * 2006-06-23 2008-05-29 Steve Concotelli Media playback system
US8532292B2 (en) * 2006-05-16 2013-09-10 Kyocera Corporation Stream generation method, broadcast receiving apparatus, and display method

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6591420B1 (en) * 1999-08-25 2003-07-08 Warner Music Group, Inc. Remote control system for audio and video content
CN1173570C (en) * 2000-01-28 2004-10-27 开放电视公司 Interactive TV. systemand method for simultineous transmission and rendering of multiple encoded video streams
TWI236250B (en) * 2001-09-12 2005-07-11 Nagravision Sa Data transmission method between a local server and local peripherals
EP1714463A1 (en) * 2004-02-05 2006-10-25 Koninklijke Philips Electronics N.V. Encrypted content parallel to free broadcast
EP1855223A1 (en) * 2006-05-12 2007-11-14 Telefonaktiebolaget LM Ericsson (publ) Extending the DRM realm to external devices

Patent Citations (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3003000A (en) * 1959-07-01 1961-10-03 Research Corp Organic peroxides
US5400403A (en) * 1993-08-16 1995-03-21 Rsa Data Security, Inc. Abuse-resistant object distribution system and method
US5748731A (en) * 1996-07-02 1998-05-05 Shepherd; Henry G. Electronic trading cards
US20020097878A1 (en) * 1997-07-07 2002-07-25 Hiromichi Ito Key controlling system, key controlling apparatus, information encrypting apparatus, information decrypting apparatus and storage media for storing programs
US6266413B1 (en) * 1998-06-24 2001-07-24 Benyamin Ron System and method for synchronizing one time pad encryption keys for secure communication and access control
US6445794B1 (en) * 1998-06-24 2002-09-03 Benyamin Ron System and method for synchronizing one time pad encryption keys for secure communication and access control
US20030002675A1 (en) * 2001-06-29 2003-01-02 Graunke Gary L. Method and apparatus for simultaneous encryption and decryption of publicly distributed media
US20070016778A1 (en) * 2001-08-31 2007-01-18 Lyle James D Method and apparatus for encrypting data transmitted over a serial link
US20030149869A1 (en) * 2002-02-01 2003-08-07 Paul Gleichauf Method and system for securely storing and trasmitting data by applying a one-time pad
US20030188188A1 (en) * 2002-03-15 2003-10-02 Microsoft Corporation Time-window-constrained multicast for future delivery multicast
US20040158533A1 (en) * 2003-02-06 2004-08-12 Steve Messick Simultaneous network news distribution
US20050021774A1 (en) * 2003-05-23 2005-01-27 Shinichi Kurihara Content delivery service providing apparatus and content delivery service terminal unit
US20050010691A1 (en) * 2003-06-30 2005-01-13 Randy Oyadomari Synchronization of timestamps to compensate for communication latency between devices
US7159112B1 (en) * 2003-08-26 2007-01-02 Nvidia Corporation Decryption of graphics data in a graphics processing pipeline
US20070047552A1 (en) * 2003-12-22 2007-03-01 David Astely Measurement method for spatial scheduling
US20050168630A1 (en) * 2004-02-04 2005-08-04 Seiko Epson Corporation Multi-screen video playback system
US20060115084A1 (en) * 2004-11-19 2006-06-01 Lg Electronics Inc. Conditional access for a multimedia broadcast service using a wireless terminal
US8532292B2 (en) * 2006-05-16 2013-09-10 Kyocera Corporation Stream generation method, broadcast receiving apparatus, and display method
US20080124056A1 (en) * 2006-06-23 2008-05-29 Steve Concotelli Media playback system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Dan Cornell, "Cleartext vs. Plaintext vs. Ciphertext vs. PLaintext vs. Clear Text", 10/19/2007, Denim Group, Pages 1- 2. *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120321080A1 (en) * 2011-06-14 2012-12-20 Candelore Brant L TV Receiver Device with Multiple Decryption Modes
US9392318B2 (en) * 2011-06-14 2016-07-12 Sony Corporation Receiver device with multiple decryption modes
US20130326081A1 (en) * 2012-05-29 2013-12-05 Avaya Inc. Enterprise class virtual desktop infrastructure
US10009404B2 (en) * 2012-05-29 2018-06-26 Avaya Inc. Enterprise class virtual desktop infrastructure
US10742698B2 (en) 2012-05-29 2020-08-11 Avaya Inc. Media contention for virtualized devices
WO2016147382A1 (en) * 2015-03-19 2016-09-22 三菱電機株式会社 Encrypted communication system terminal device, encrypted communication system relay device, and encrypted communication system control method
US10305479B1 (en) * 2018-06-12 2019-05-28 Nxp B.V. Fault attack protection against synchronized fault injections

Also Published As

Publication number Publication date
EP2243276B1 (en) 2019-07-10
GB2457253A (en) 2009-08-12
WO2009099359A1 (en) 2009-08-13
CN101939962A (en) 2011-01-05
EP2243276A4 (en) 2014-11-26
GB2457253B (en) 2010-08-11
GB0802186D0 (en) 2008-03-12
EP2243276A1 (en) 2010-10-27

Similar Documents

Publication Publication Date Title
US11627119B2 (en) Fine grain rights management of streaming content
US8213602B2 (en) Method and system for encrypting and decrypting a transport stream using multiple algorithms
US7693278B2 (en) Data distribution apparatus and data communications system
EP2243276B1 (en) Controlling media distribution
RU2439668C2 (en) Methods to scramble and to unscramble data units
RU2333608C2 (en) Method and device for provision of protection in data processing system
US7702904B2 (en) Key management system and multicast delivery system using the same
KR100863748B1 (en) Method for generating the counter block value
JP2004289847A (en) Updatable conditional access system
EP1051036A2 (en) Cryptographic method and apparatus for restricting access to transmitted programming content using hash functions and program identifiers
US20020114453A1 (en) System and method for secure cryptographic data transport and storage
US10084492B2 (en) Method and system for non-persistent real-time encryption key distribution
CA2742029C (en) Method and system for identity-based key management
US20100098249A1 (en) Method and apparatus for encrypting data and method and apparatus for decrypting data
JP5795709B2 (en) Supplying control word to receiver
BRPI0208498B1 (en) security method and equipment in a data processing system
WO2011120901A1 (en) Secure descrambling of an audio / video data stream
US20080298580A1 (en) Content delivery server and content delivery system
ES2703395T3 (en) Methods of decryption, transmission and reception of control words, registration support and server for these methods
US7836300B2 (en) Security integrated circuit
WO2007132895A1 (en) Encryption device, decryption device, license issuing device, and content data generation method
JP2008092432A (en) Method for transmitting digital contents and receiver
Narayanan et al. Practical pay TV schemes
JP2007158634A (en) Method for transmitting digital content and device for receiving digital content
KR20050064289A (en) Apparatus and method for scrambling of high data

Legal Events

Date Code Title Description
AS Assignment

Owner name: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL), SWEDEN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:OHLMAN, BORJE;SELANDER, GORAN;SIGNING DATES FROM 20080212 TO 20080217;REEL/FRAME:024799/0378

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION